Times are getting hard for concerns that collect or sell information about individuals. People are becoming more concerned about their privacy and want their personal information protected. It’s taken a while, but folks are waking up to the fact that information about who they are, where they live, what they like to do, what they like to buy and a plethora of other information is being systematically collected and sold all the time.
National information security and privacy legislation has been bandied about now for a long time, but with no results as yet. So, the States are getting sick of waiting and are drafting their own privacy acts, especially since the inception of the European Union’s General Data Protection Regulation (GDPR).
The first of the States to jump on the bandwagon is California with its California Consumer Privacy Act (CCPA). It didn’t take them long either. It was introduced in January of 2018 and signed into law in June the same year. And although it doesn’t go into effect until January 1 of 2020, you really only have a short time left to get your ducks in a row; legal action under the law will extend back to July of 2019.
This law doesn’t apply to all organizations though. To be subject, the business must be one that collects consumers’ personal information (PI), that does business in California and that either has gross annual revenues in excess of 25 million dollars, possesses the PI of at least 50,000 consumers, or earns more than 50% of its annual revenue from selling consumers’ PI.
If you fall into this group, it’s time to start planning. You will need to be able to identify what PI you have, where it is all stored, how to get to it and how to delete it from your systems. California residents will have the right to know what PI is being collected about them, whether it is being sold or disclosed and who it is being sold to. If they don’t like what is being done with their PI, you have to grant them access to their PI and stop selling or disclosing it if they say so. Are your policies, procedures and systems currently capable of tracking and deleting PI in this manner? I don’t personally know of many companies that are prepared in this way.
Also, can your company handle the penalties that could be levied against it under this act? Under civil class-action lawsuits, companies that have a data breach can be ordered to pay between $100 and $750 per resident and incident, or the actual damages if greater. Or the California AG’s Office can prosecute instead. Intentional violations can carry up to a $7,500 penalty per incident.
Other things to consider are the clash between personal privacy rights and data retention regulations that already exist under laws such as HIPAA. How are you going to delete PHI from your systems if HIPAA says you have to keep it for six years? It’s going to take new strategies and lots of planning to handle all these complexities.
If you don’t meet these criteria or don’t do business in California, don’t get too complacent. Since California passed CCPA last year, lots of other states are framing their own privacy laws, a situation that can easily get out of hand. This is putting real pressure on the national legislature to finally get going and pass the national data security and privacy laws that we should have had for years now. And if these national laws do come about, I doubt they will be any easier to deal with than CCPA.